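# Debian Preseed Configuration for Football System
# This preseed file answers most questions automatically.
# The user only needs to set: user password, root password, target disk.
#
# Format of every answer line: <owner> <question> <type> <value>

# Locale
d-i debian-installer/locale string en_US.UTF-8
d-i keyboard-configuration/xkb-keymap select us

# Network configuration (DHCP - will be reconfigured later)
d-i netcfg/choose_interface select auto
d-i netcfg/get_hostname string football
d-i netcfg/get_domain string localdomain

# Mirror configuration
d-i mirror/country string manual
d-i mirror/http/hostname string deb.debian.org
d-i mirror/http/directory string /debian
d-i mirror/http/proxy string

# Clock and timezone
d-i clock-setup/utc boolean true
d-i time/zone string UTC

# ============================================================================
# Accounts
# ============================================================================
# User password - MANUAL (not automated): prompted during install.
# Root password - MANUAL (not automated): prompted during install.
#
# No passwd/user-password, passwd/user-password-again, passwd/root-password or
# passwd/root-password-again answers are preseeded here. Preseeding them would
# suppress the prompts and give every installed machine the same well-known
# credentials, readable in plaintext by anyone holding the install media.
#
# The full name and username stay preseeded because preseed/late_command
# below hard-codes /home/user and user:user.
d-i passwd/user-fullname string Football User
d-i passwd/username string user

# User is not sudo by default - will be configured later
d-i passwd/user-default-groups string audio,dialout,video

# ============================================================================
# Password Complexity Enforcement (During Install)
# ============================================================================
# These settings apply to BOTH the root password and the user password.
#
# Refuse weak passwords at the installer prompt.
d-i user-setup/allow-password-weak boolean false

# The three answers below originally had no owner field, so they did not match
# the <owner> <question> <type> <value> format. The owner has been added.
# NOTE(review): confirm these question names exist in the installer release
# being targeted; unknown questions are stored but never asked or enforced.
d-i passwd/user-password-checks string critical
d-i passwd/user-password-weak boolean false
d-i passwd/user-password-empty boolean false

# NOTE(review): libpam-pwquality is only installed by pkgsel/include below and
# configured by config/security-config.sh from late_command, so pwquality.conf
# presumably cannot vet the passwords typed at the installer prompts. Treat
# the installer-side checks above as the only gate at install time, and see
# config/security-config.sh for the full pwquality requirements that apply to
# password changes after installation.

# ============================================================================
# Partitioning (User selects disk, we handle the rest)
# ============================================================================
# No target disk is preseeded, so the disk choice is still asked. Every
# confirmation after that is auto-answered, including removal of existing LVM
# volumes on the chosen disk.
# NOTE(review): method "lvm" creates unencrypted volumes; method "crypto"
# (LVM on LUKS) is the guided option for encryption at rest - confirm which
# one this system is meant to use.
d-i partman-auto/method string lvm
d-i partman-lvm/device_remove_lvm boolean true
d-i partman-lvm/confirm boolean true
d-i partman/choose_partition select finish
d-i partman/confirm boolean true
d-i partman/confirm_nooverwrite boolean true

# LVM setup
d-i partman-auto-lvm/guided_size string max

# Base system installation
d-i base-installer/kernel/image string linux-image-amd64

# Package selection - Minimal system
tasksel tasksel/first multiselect standard

# Individual packages to install
# NOTE(review): confirm that "libpwquality" resolves to a binary package in
# the target release; an unresolvable name can fail the whole package step.
d-i pkgsel/include string \
    libpam-pwquality \
    libpwquality \
    xscreensaver \
    wireguard \
    wireguard-tools \
    vim \
    less \
    bash-completion \
    iproute2 \
    iputils-ping \
    curl \
    wget \
    rsync \
    aide \
    aide-common \
    auditd \
    rsyslog \
    logrotate \
    grub-efi-amd64 \
    grub-efi-amd64-bin \
    efibootmgr \
    dosfstools \
    parted \
    fdisk \
    sudo \
    icewm \
    icewm-themes \
    xorg \
    xserver-xorg-video-intel \
    xserver-xorg-video-ati \
    xserver-xorg-video-amdgpu \
    xserver-xorg-video-nouveau \
    xserver-xorg-input-libinput \
    xinit \
    remmina \
    remmina-plugin-rdp \
    network-manager \
    network-manager-gnome \
    udisks2 \
    udisks2-btrfs \
    gvfs-backends \
    gvfs-fuse \
    xautolock \
    x11-xserver-utils \
    lightdm \
    lightdm-gtk-greeter

# Display Manager (Graphical Login)
# NOTE(review): tasksel/desktop normally names a desktop task rather than a
# display manager; lightdm itself is installed through pkgsel/include above
# and enabled in late_command - confirm this answer has any effect.
d-i tasksel/desktop string lightdm
# The original file also set "d-i tasksel/first boolean true" here. That would
# overwrite the "standard" task selection made above with the literal value
# "true", so it has been dropped.

# Boot loader
d-i grub-installer/bootdev string default
d-i grub-installer/only_debian boolean true
d-i grub-installer/with-other-os boolean true

# Finish the installation
d-i finish-install/keep-consoles boolean true
d-i finish-install/reboot_in_progress note

# Post-install hardening steps, run once at the end of the installation.
#
# Each best-effort step is wrapped as "( cmd || true )". In the original
# chain the bare "|| true" sat at the same precedence as "&&", so a failure in
# ANY earlier step (for example the chown of /home/user) was swallowed and the
# chain carried on as if it had succeeded. With the grouping, only the
# ssh/bluetooth unit operations are allowed to fail; every other step aborts
# the chain, so a failed hardening script surfaces as a late_command error
# instead of a silently unhardened system.
#
# NOTE(review): "in-target" runs the command chrooted into the installed
# system. Confirm /cdrom is visible inside that chroot; if it is not, copy
# from the installer environment into /target/... first, otherwise the
# hardening scripts are never staged.
# NOTE(review): mode 755 leaves /home/user listable by every local account;
# confirm a tighter mode is not wanted on this system.
# NOTE(review): the two scripts run as root from world-writable /tmp and are
# only removed when every step succeeds.
d-i preseed/late_command string \
    in-target systemctl enable lightdm && \
    in-target systemctl set-default graphical.target && \
    in-target chmod 755 /home/user && \
    in-target chown -R user:user /home/user && \
    (in-target systemctl mask ssh sshd 2>/dev/null || true) && \
    (in-target systemctl disable ssh sshd 2>/dev/null || true) && \
    (in-target systemctl mask bluetooth 2>/dev/null || true) && \
    in-target cp /cdrom/config/disable-wifi-bt.sh /tmp/ && \
    in-target bash /tmp/disable-wifi-bt.sh && \
    in-target cp /cdrom/config/security-config.sh /tmp/ && \
    in-target bash /tmp/security-config.sh && \
    in-target cp /cdrom/scripts/verify-system.sh /usr/local/bin/ && \
    in-target chmod +x /usr/local/bin/verify-system.sh && \
    in-target cp /cdrom/config/football-first-boot.service /etc/systemd/system/ && \
    in-target mkdir -p /home/user/.config/autostart && \
    in-target cp /usr/share/applications/remmina.desktop /home/user/.config/autostart/ && \
    in-target chown -R user:user /home/user/.config && \
    in-target systemctl daemon-reload && \
    in-target systemctl enable football-first-boot.service && \
    in-target rm -f /tmp/disable-wifi-bt.sh /tmp/security-config.sh

# Security configuration will be applied post-install via harden.sh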